With the worst of the financial crisis now past, banks are again turning their attention to governance, risk and compliance (GRC) frameworks. A survey published in the June 2011 issue of Operational Risk & Regulation found that 50% of financial institutions either had a GRC system in place (38%), were installing one (7%) or were planning to buy one within the next year (5%). Many companies say the ever-growing regulatory reporting requirements are pushing them to rebuild their GRC functions and centralise risk and compliance reporting. But, implementing a GRC system can be a major undertaking and can bring its own operational risks, and it is often difficult to persuade the rest of the company that the expense and upheaval are necessary.

What are the main benefits that an institution would see from implementing a GRC programme?

Luc Brandts, BWise: The main benefit is that you, as a business, are in control. Rather than reacting to every new regulatory initiative or new risk management need, you can transparently report to your regulators, auditors and senior management. Thus, you can steer your company in the right direction and you can reduce costs.

Lisa White, RBS Group Internal Audit: I think there are other benefits of having an integrated system, such as having the ability to have one version of the truth across the company. Having all of the information in one place enables you to really get to the bottom of your key risks as a company and determine what your executive committee should be focusing on. And, particularly in financial services, but in other industries like the car industry as well, it shows your stakeholders they can have confidence in your safety and soundness as a firm.

Jean-Marie Zirano, MEGA: We are talking about companies, particularly in the financial industry, that need to make sure they are not going to be out of business tomorrow. Of course, that means more controls in their GRC programmes and in each of the audit, operational risk management and compliance departments. The obvious benefits are reducing costs and saving time. We also need to think about the business people who are behind these programmes who are considering the cost of these programmes and expect tangible benefits. And I think one of the main quick wins they can also gain from these GRC programmes is the clarity of their business processes.

Where does compliance with new regulations – such as the Dodd-Frank Wall Street Reform and Consumer Protection Act – fit on that list of benefits?

White: It is integral to have a GRC system in place. What you tend to find is people adopt new regulations on a very siloed basis, particularly in larger companies. A GRC system gives you visibility across the company of how regulations are being implemented, and also interpreted, and what residual risk is left at the end of it. In order to get something like Dodd-Frank – which is more than 2000 pages – disseminated across a business in a consistent way, it is integral to have a GRC system.

Brandts: It is important, rather than starting from the point of view of the regulations, to take yourself as a starting point. You organise in such a way that compliance comes as an end result, rather than the other way around. Because if you do this, then the next regulation coming out next year or in the next two years will not surprise you, it will simply be an addition to the work you have already done. What are regulators asking you to do? Sometimes they are very specific, but most of the time they are saying ‘we want you to be in control and, when you are not, to be able to report it to us’.

Are you saying it is important to have a GRC system – or to future-proof your company – in order to be prepared for the implementation of Dodd-Frank and any other future regulations?

White: One of the difficulties, though, with embedding a GRC system is there is so much regulation and so many processes. If you are multi-jurisdictional, how do you actually get all of that data in one place so you can understand it and keep it maintained on a regular basis? So there is definitely a challenge.

Fifty per cent of companies we surveyed did not have a GRC system or any plans to buy one soon. Is there an alternative, from a regulatory point of view, to having a GRC system? What kind of companies could manage just as well without one?

White: I think there are alternatives. An integrated GRC system comes with a number of implementation requirements. You have to have a consistent taxonomy; you have to have a common risk language; and you have to have the support and buy-in at the top. Ideally, everybody should be trying to get an integrated system that drives the right risk culture and enables your executive committee to understand the material risks. But, the reality that smaller firms have, especially ones that are not distributed widely, is the advantage of being able to feel their risks on a day-to-day basis. In those instances, you have to weigh the rewards and the risk of not having the system in place. You can get by without it if you follow the same principles of bringing governance, risk and controls together, but the difficulty is that even smaller firms are now finding they still have to follow all of the regulations exactly as the big firms do.

Brandts: People understand it makes sense to integrate all of the concepts into one platform – into one way of thinking, one process and one risk language. Why isn’t everybody picking up on it today? There are answers to that. I think the reason is that it is complicated to implement. It’s a change management process and it is not something you can implement in every organisation in three months – some may take five or 10 years. Some organisations don’t need to take that step-by-step approach; they have already bought into it, and maybe have past experience. Others will need to take their time.

Do you believe GRC can be approached systematically, or does it need to be approached at a people and process level first, and automated later when the technology is available to support it?

Zirano: The cultural aspect and the people and process dimensions are fundamental to implementing a GRC programme. But, there are some invariants that should always be performed. The first is to make sure the accountability is clearly defined; the second is to make sure the policies and procedures are correctly defined; and the third is appropriate communication to make sure the people who are directly involved in these programmes are aware of what is expected of them, and that business managers are aware of how these programmes affect the way they work.

White: I agree, people and processes are absolutely integral. But, if you have hard-coded the detail of how you manage governance risk and controls, you may find it very difficult to find a system that will meet your needs. Sometimes firms will have to adapt to the system instead of finding an existing system that fits. Firms that do hard-code things are in danger of never finding something that could really challenge the culture and the way that risk is managed in the firm. It is also important not to see the system as the end in itself. Sometimes what happens within big software integrations is that people start to see the tool itself as the goal – ‘as long as it’s filled in and the boxes are ticked, we’re okay’ – and that is not the case.

Brandts: If you hard-code all of your processes first, and then try to look for a solution, you will probably end up with a solution that is so complicated in its configuration that it is impossible to do anything with it. It will not grow with the market.

Zirano: Another point is that the processes we are talking about change very quickly. Even if you have mapped your processes, you know that they will need to change sooner or later so, when you adopt a system, you should make sure the system is flexible enough to easily alter the things that are subject to change.

How do you persuade an organisation that there is value in bringing in a GRC system when you are talking to business owners who simply see it as a regulatory or compliance requirement?

Brandts: Sometimes, when a company is being assessed to death – as one of our customers put it – you can relieve their burden, so rather than getting the same question five times during the week, you will only ask it once and report on it five times. That is a quick benefit. One of the common misconceptions is that a GRC system is set up to be unidirectional – everything goes to corporate and there is a nice report going to senior management and maybe to a regulator, but nothing comes back. If you can provide business managers with benchmark information – for example, on how other business units are performing in comparison – it can be a big help.

White: Based on my experiences – though I hate to say it – it’s great if you have had an operational risk incident or a regulatory request. Sometimes that will get you where you want to be, albeit for the wrong reasons. But, risk managers should use incidents that take place to really sell the benefits – responding to information requests from regulators can take weeks and weeks of effort at the moment.

You have got to understand how the stakeholders do their jobs and what is important to them. What information flows are really important to enable your senior management to do their jobs? And what difference will this particular programme make that they don’t already get?

If it is only sponsored by risk, and the risk team is the only group that thinks it has any benefit, you are unfortunately doomed to failure, so you have to get the business to see that a GRC programme is actually something that would bring a benefit to them, and then they will want to get involved.

What should a company be looking for when deciding which GRC product and provider to choose?

White: It is really important before you talk to a software provider to understand what you are trying to get and what your own risk processes are, so you can describe some of the challenges that you have got, and some of the outputs that you are hoping to get.

It is also important to pick a software provider with whom you can have an honest and open conversation. A lot of them look very similar, but you need to ask: can they adapt the product to our needs? Do they recommend we take a phased approach? Do they just recommend you take it all in one go? Or, do they actually say: ‘we don’t think that would be a good idea for you’? Are they honest in their feedback? And, you need to bring them into the firm to see if they are a good cultural fit with your information technology (IT) team, your change team and your business areas. Often people don’t invest enough time in actually understanding their own business and building a relationship with providers before choosing, so they choose somebody and then spend the next few years actually finding out that maybe it wasn’t the best provider to have chosen.

Brandts: We get some requests for proposals (RFPs) that are very difficult to answer. Some questions are asked in such an abstract way that it is almost impossible to say no – you need to be looking for somebody who gives you a more detailed answer about what is possible and what isn’t possible, and what is best practice.

These are not simple processes. I don’t think a complex organisation can simply implement a broad GRC programme within six months. It is not about just a piece of technology. Everybody can install a CD or put something in a Software as a Service environment, but it is about trusting that they can solve your problems. And you also need to understand that the final system is not going to be exactly what you think it’s going to be today. If you take the position that it needs to be exactly what you have in mind, then you are essentially building something yourself, which is possible but very lengthy and very costly.

Zirano: Looking back over the past six or seven years of experience at MEGA, we have got RFPs ranging from half a page to 300 pages. But beyond the RFP side of the choice process for a customer, we think you need to be looking at what relationship you want to build with a provider and the fact that sometimes the solution provider is a combination of the software vendor and a consulting company. Also, you need to make sure the provider can accompany you throughout the programme – if he has been in business for a long time, the chances are he will be in business for a long time into the future. It is not just sell and go, programmes are long and often start on a small scale and expand. As a solutions provider, you need to demonstrate you are going to be able to expand across the organisation.

What are the big pitfalls to watch out for? What are the main ways in which implementing a GRC system could go wrong, and how should they be trying to avoid these?

Brandts: I would say, do not customise. Do not customise is rule number one. Another common pitfall is that if a customer has a 15-step process for our risk management or compliance process, for example, he tends to think he needs to automate all 15 steps. You need to pick the three or four that hurt the most. There will be a lot of manual processes that you could theoretically automate, but it’s probably going to hurt more than it’s going to help – focus on the things you definitely want to automate rather than on the entire process.

White: For me, the key is don’t lose sight of your stakeholders. Sometimes you become so engrossed in the programme that you lose sight of the fact that people have got to implement this on a day-to-day basis as well. You also have to remember that this is a tool. It is not the solution to all of your risk management and compliance needs. And it is also important to keep communicating to your stakeholders where you are. One of the worst things that can happen is you deliver a lower-quality product in twice the time that you said, and you have to keep aware of how the environment is changing. Sometimes projects become so insular that, by the time they have delivered, the business has moved on.

Could you comment on how the legal department should be involved in the implementation and roll-out of a GRC application?

White: Legal risk should be involved as much as any compliance department, especially when you consider there is so much overlap between legal and compliance. Sometimes either they don’t want to be involved or they are forgotten about, but they can bring a lot of structural thinking to a programme, so I would definitely include them.

Brandts: It is important to remember that the legal department has a different way of working. A control department has its rules and has a very process-driven way of working. The same reports need to be produced every month, every quarter, or every year. But if you look at the regulatory worlds, it is much more case-based, with specific new regulations and cases coming in. So you need to accommodate that.

Zirano: In our industry, we say align IT with business, but here it is important to align legal with business. Usually they are very distant from one another – people who are on the business side do not want to hear about the legal barriers or the constraints – but they could learn a lot from them, particularly when regulations are increasingly complex. The legal department knows what the risk of non-compliance means in financial terms.

White: Legal enable the business to make conscious risk decisions and that is what they bring to the table. One of the advantages of a GRC programme is you start to build a common risk language, and you also start to understand what is really going to hurt the organisation – whether it’s under audit, compliance, legal or risk management. It is part of the journey, which I know doesn’t help people when implementing things, and I hated it when it was said to me.

Operational risks in financial services firms are a significant capital charge, and a firm that has a solid GRC process and system could have significant advantages in terms of lower capital charges. What do you think of that as an argument for getting business owners to buy into your GRC system?

White: For a lot of financial services firms, the capital charges are a lot higher in the other risk categories, so sometimes that argument works the other way. If there is a significant capital charge, I think a GRC platform is a good way of proving you have actually met those use-test requirements, which goes a long way. The other thing is you can start to integrate some of the outputs of your scenario analysis and your risk assessment into your capital models, particularly the indicators around risk appetite, and monitoring risk and compliance. Whether it is an automated GRC system or another form, you have to embed that type of governance and risk approach to the way you’re looking at things across the business in order to help with your capital calculations.

Brandts: By definition, anything that happens in the credit risk has an operational side to it, though that is sometimes a complex story. If you are a process owner, the capital charge is relevant but it is not your immediate concern, it’s not something you can influence. I think the capital charge argument does help but more at a senior level rather than a lower level in the organisation.

Zirano: We have seen firms approaching operational risk management from a purely financial point of view but, beyond making sure you have put aside the right amount of money, you also need to make sure you continue to improve your processes. For example, there are firms that adopted a purely financial approach to operational risk management under the influence of Sarbanes-Oxley Act and who are now stepping back and looking at having the right risk engine and the right processes to generate as few risks as possible.

White: One of the benefits we have not talked about yet is that having this type of information actually improves your reputation with the marketplace and the rating agencies. If you are able to provide a very clear and confident view of where you are with either compliance, regulation, or your risk profile, that is going to help in terms of the view that they have.